Pages

Saturday, December 31, 2011

While I was watching 'The Pacific' movie suddenly I just get a Yahoo Messenger popup message from my old friend (which is he's already Rest-In-Peace on Aug 2009 ago). This is interesting and kind of surprise for me while seeing my very close friend suddenly 'wake-up' from his long rest. I was monitoring this scammer about few months ago after surprising his online status. Check this out from the chatting using web browser YM:

From the given shortened URL it will redirect user to the following URL:

http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000

The URL seem to be already expired. But soon it will appeared again. The actual website will appear some kind of offering money that needs user to input their user name and email.

Let's take a look closer on the URL. The URL seem to be trying to fool the user that pretend it was coming from Yahoo. Based on whois information the URL was registered from China. Obviously.

The domain name seem to be newly registered and exactly the time I was start monitoring it. The domain has been pointed to two DNS ns7.cnmsn.net and ns8.cnmsn.net. The DNS server were also registered from China.

Since I don't trust any source from China even their web hosting provider, I make some Nmap scanning to seem what its got. The web server seem to be running on Unix machine with several web services port opened.

The Yahoo Messenger online status is coming from the expired phone number which probably has been taken by China scammer that live in Malaysia. Malaysia has multicultural country and it's not impossible that a Chinese from China can disguise as Chinese from Malaysia. Another thing is that probably the YM account has been stolen from his machine via malware infection.

Tuesday, December 6, 2011

A week ago as I checking for the new email and suddenly received an email with MS Word document as an attachment on my inbox (not spam box). This make me curious to know what the heck is that. Lets take a look closer. I rename the MSWord document to 'gigi.doc'. The .doc file size is about 160,192 bytes long.

The .doc file contain Rich Text Format (RTF) encoding format and we can see a lot of 0x41 slide until we found the exact shellcode within the slide character. Below show you the location of the exploit code in hex format:

As I convert the hex format to binary, we can see some interesting strings. I'm not sure why its trying to execute ping command to localhost. Well, after execute the malicious .doc file. It will create a file named csrss.exe (921C724CCB04B9F672B294FFFF83CE7B) and execute it then rename it to 'winword.exe'. Then it will launch the cmd.exe to execute the ping command to 127.0.0.1 with 1 byte. After that, the malware will execute a clean Word.doc file.

The running csrss.exe will create the Update.bat on user StartMenu startup folder with the following content:

Friday, December 2, 2011

I just received a laptop from a friend of mine that heavily infected with multiple viruses. I don't know how he can comfortably using it for few months until he felt so many annoying activities coming from the viruses. One of my interesting sample to be quickly analyze is W32/Ramnit. Based on few security blogs that I found this malware has been already discovered around April 2010. Let's check it out.

At the first detection I was notice that a lot of infections is coming from the HTML files (as Avira detecting so many HTML infection).

The HTML files contains a small VB Script that carrying embedded EXE files in Hex format that will drop in Windows temporary folder once user opening the infected HTML in their browser (only IE6 support VBScript). At the end of the infected HTML files seem to be a random garbage character in attempt to prevent a static size of HTML files.

Once the EXE file has been dropped, it will automatically execute the file. The EXE is about 108,032 bytes sizes (9B49FEC7E03C33277F188A2819B8D726). I'll explain quick going through what is the characteristic of the EXE file. The EXE has been compressed with UPX 3.03. Upon execution the following routine will be started:

Search for EXE, DLL and HTML file extensions.

Infect all EXE and DLL by creating additional .text section on the PE file.

Infect HTML files by overwriting it with VBScript and Hexdecimal format of the EXE file.

The infected PE file will be create an additional PE sections called .text as shown on image below:

A large size of additional .text section (about 540kb) created which is contains a malicious code. The EP has been modify to execute malicous code first and point it back to actual EP to execute original code.

Manual cleaning for this type of malware probably impossible for end-user. Mass infection on users PC make it difficult to remove. The best way to fix it is either using NOD32 On-Demand Scanner (Portable) or format your Hard drive and installing new Windows.